Siri hole can hack past your lockscreen to call and text contacts

A new exploit has been discovered in iOS 7.1.1 that lets anyone access your full contacts list and send an email, text or call — just by chatting with Siri.

Egyptian neurosurgeon and part-time hacker Sherif Hashim, apparently the first to discover the security hole, posted a YouTube video detailing the steps of the exploit.

Check out how easy it is for a prankster to hack your phone in the video below:

To gain access to a user’s contact list, all you have to do is call up Siri and give a single-word command like “Call,” “Text” or “Email.” Siri will then ask you to specify who you want to speak to, at which point you can tap to edit your previous command. Typing in a single letter will make Siri clarify your request, giving you access to the “Other…” option, which pulls up all your contacts.

Pulling off the exploit requires a bit of verbal finesse with Siri, but we were able to duplicate it in seconds on an iPhone 5s running iOS 7.1.1. Our friend Tal has also pointed out that the Tap to Edit exploit can be used to call any number worldwide from the homescreen.

It’s been a while since a bug has let would-be attackers circumvent the passcode, but luckily you can easily prevent an attacker from pulling up info by disabling Siri on the lockscreen.

We asked Apple if they’re aware of the bug and if a patch might be forthcoming. We’ll update you as we learn more, but you might want to disable Siri on your lockscreen if you’re paranoid about someone snooping on your contacts and sending fake texts from your phone.
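For managed devices, the same mitigation can be enforced and audited through a configuration profile's Restrictions payload. The following is an added example, not part of the original article: it checks an unsigned profile for the `allowAssistant` and `allowAssistantWhileLocked` restriction keys. The sample profiles, identifiers and helper names are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
SIRI_KEYS = ("allowAssistant", "allowAssistantWhileLocked")

def siri_lockscreen_status(profile_bytes):
    """Return ('blocked', key) if any Restrictions payload turns Siri off
    entirely or while locked, else ('allowed', None)."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key in SIRI_KEYS:
            # Both keys default to true when absent; only an explicit false restricts.
            if payload.get(key, True) is False:
                return ("blocked", key)
    return ("allowed", None)

def make_profile(restrictions):
    """Build a constructed, unsigned sample profile (hypothetical identifiers)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1},
            dict(restrictions, PayloadType=RESTRICTIONS_TYPE, PayloadVersion=1),
        ],
    })

# Constructed samples: one profile that blocks Siri while locked, one that
# restricts something unrelated and leaves the Siri keys at their defaults.
HARDENED = make_profile({"allowAssistantWhileLocked": False})
UNRELATED = make_profile({"allowCamera": False})

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED), ("unrelated", UNRELATED)):
        print(name, siri_lockscreen_status(blob))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can parse it.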

I’ve tried this a few times and all I get is a prompt from Siri saying that she can’t find “X” in my contacts and then offers to search via locations. Anyone else getting that?

damn-u-pandora

watch the video.

Craig Macbeth

Followed it step by step and it’s not doing it

Craig Macbeth

Instead of “with whom would you like to speak” I get “who would you like to ring” then when I edit the top field exactly the same way as the video I then get asked “with whom would you like to speak” no other options. If it makes a difference I’m using English UK and a female voice on a 5S running 7.1.1

Tom

You can disable it.

Kr00

Does the author understand what the word “hack” means in the IT world? Because this is not a hack. A bypass yes, but not a hack. We wouldn’t be using inflammatory language to make a headline would we?

A hack allows a hacker access to the root or system of an OS.

damn-u-pandora

no. a hack is also an undocumented feature or a workaround. you wouldn’t be critiquing language without a dictionary would you?

Kr00

You obviously haven’t worked in any level of IT have you? There are literal and off handed definitions to “hack” something. Seeing as this IS a technology page, using correct terminology would help and is important. A hack is an exploit that gains root access to a system or OS that allows a hacker to control said system or OS. I’m not sure what 5th grade school book you read from, but in the technological world, terminology IS everything. Getting it wrong can get you fired. Why? Coding is an exact science, not guesswork. You don’t throw terminology around like confetti. Anything else I can explain to you?

http://www.dcapps.net/ Dario Caric

This is known and like Tom posted down it can be disabled depending on user will and it is not a hole. If somebody doesn’t want to see contact via Siri, he/she should set more restricted settings, that’s all

Sarcastic Curmudgeon

oy vey.

Marco Arana

It only works if you have a contact name and that contact has several phone numbers registered in your contacts. In the video it works because he has several contacts with only one letter: “A”.

Chris Joyce

I wrote to Cult of Mac about that months ago. And I’m not a hacker. “Siri send text to”

Chris Joyce

From a stand-by iPhone, press and hold home button. Siri will activate. Speak: “Send text to NAME” (choose a known name from the Contacts). Siri will say: OK, what do you want to say to NAME? Say whatever you wish speaking slowly and clearly. Siri will say: OK, I’ll send your message. You will have to use your finger at this stage to select Send. Bingo! text sent to NAME.

tonny_m

Someone who says it’s a bug shouldn’t write articles about tech stuff, today Cult of Mac lost for me all credibility. Even Macrumors didn’t post it, guys I thought you could do better than that.